Bytes IT Community

I'm Coming Back as I\'m - why?

When I send text in a textbox to the server and retrieve into a PHP
var, I'm comes back as I\'m - what is causing this slash and how can I
get rid of it?

Thanks...

Jul 17 '05 #1
8 Replies


Carved in mystic runes upon the very living rock, the last words of Ralph
Freshour of comp.lang.php make plain:
> When I send text in a textbox to the server and retrieve into a PHP
> var, I'm comes back as I\'m - what is causing this slash and how can I
> get rid of it?

You have magic_quotes_gpc turned on in your PHP config. Turn it off.

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/
Jul 17 '05 #2

I noticed that Message-ID: <Xn**************************@216.196.97.132>
from Alan Little contained the following:
>> When I send text in a textbox to the server and retrieve into a PHP
>> var, I'm comes back as I\'m - what is causing this slash and how can I
>> get rid of it?
>
> You have magic_quotes_gpc turned on in your PHP config. Turn it off.

Actually, don't.

Use stripslashes($textbox_var)

--
Geoff Berrow
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #3
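As an added example in PHP (not code from the thread), here is how to apply Geoff's stripslashes() advice without corrupting input on servers where the option is already off: strip only when magic_quotes_gpc is actually on. The php.ini and .htaccess lines in the comments are the standard way to turn the option off, which was Alan's advice. The `undo_magic_quotes()` function and the `$sample_post` array are constructed for this example.

```php
<?php
// Added example, not from the thread. Removes the backslashes that
// magic_quotes_gpc adds to GET/POST/COOKIE data, but only when the option is
// on: stripslashes() on data that was never escaped silently destroys any
// genuine backslash the user typed.
//
// To turn the option off instead, use one of:
//   php.ini:            magic_quotes_gpc = Off
//   Apache .htaccess:   php_flag magic_quotes_gpc Off
// magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, and
// get_magic_quotes_gpc() itself was removed in PHP 8.0, hence the
// function_exists() guard below.

/**
 * Return $input with magic_quotes_gpc escaping undone.
 *
 * @param array     $input    Usually $_POST, $_GET or $_COOKIE.
 * @param bool|null $magic_on Override auto-detection (used by the demo below).
 */
function undo_magic_quotes(array $input, $magic_on = null)
{
    if ($magic_on === null) {
        $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (!$magic_on) {
        return $input;              // nothing was added, so nothing to remove
    }
    $clean = array();
    foreach ($input as $key => $value) {
        // magic_quotes_gpc escapes array keys as well as values
        $key = is_string($key) ? stripslashes($key) : $key;
        $clean[$key] = is_array($value)
            ? undo_magic_quotes($value, true)
            : stripslashes($value);
    }
    return $clean;
}

// Constructed sample: what $_POST looks like after magic_quotes_gpc = On has
// mangled the text "I'm here" typed into a textbox named "comment".
$sample_post = array(
    'comment' => "I\\'m here",
    'tags'    => array("rock \\'n\\' roll"),
);

var_dump(undo_magic_quotes($sample_post, true));   // slashes removed
var_dump(undo_magic_quotes($sample_post, false));  // returned untouched
```

Run the same code on a server with the option on and one with it off and both return the text the user typed, which is the property the OP wants: application code should not have to know how the interpreter was configured.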

Geoff Berrow wrote:
> I noticed that Message-ID: <Xn**************************@216.196.97.132>
> from Alan Little contained the following:
>>> When I send text in a textbox to the server and retrieve into a PHP
>>> var, I'm comes back as I\'m - what is causing this slash and how can I
>>> get rid of it?
>>
>> You have magic_quotes_gpc turned on in your PHP config. Turn it off.
>
> Actually, don't.
>
> Use stripslashes($textbox_var)

Why? Surely it's better to not convert the input data in the first place
unless required? I've never understood the reasoning behind it defaulting
to on.

--
Jim Dabell

Jul 17 '05 #4

I noticed that Message-ID: <Ms********************@giganews.com> from
Jim Dabell contained the following:
>>> You have magic_quotes_gpc turned on in your PHP config. Turn it off.
>>
>> Actually, don't.
>>
>> Use stripslashes($textbox_var)
>
> Why? Surely it's better to not convert the input data in the first place
> unless required? I've never understood the reasoning behind it defaulting
> to on.

The chap is probably a newbie. Best to play safe.

--
Geoff Berrow
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #5

Geoff Berrow <bl******@ckdog.co.uk> wrote:
>>>> You have magic_quotes_gpc turned on in your PHP config. Turn it off.
>>> Actually, don't.
>> Why?
> The chap is probably a newbie. Best to play safe.

Please explain why you think magic_quotes_gpc would increase safety?

--

Daniel Tryba

Jul 17 '05 #6

Daniel Tryba wrote:
> Geoff Berrow <bl******@ckdog.co.uk> wrote:
>>>>> You have magic_quotes_gpc turned on in your PHP config. Turn it off.
>>>> Actually, don't.
>>> Why?
>> The chap is probably a newbie. Best to play safe.
>
> Please explain why you think magic_quotes_gpc would increase safety?

Unescaped special characters in a string can be used to send arbitrary
code to the server. This is dangerous in many ways; if exploited
correctly it can most definitely represent a security breach.

for example if I know the string is used to run a command line process
with say something like :

exec("ls $dir", $dirlist, $error );

I can pass it a string that will do anything I want. You may think it is
limited to a "ls" command, but just see what happens if I send it a
string like this " joe; touch myfile; cat ~/.bash_history; rm
~/.bash_history"

See, suddenly I have all sorts of control I shouldn't. Similar things
can be done with fields going to a database, by sending it a "';" to
end one SQL command and start sending others...

--
/---+----+----+----+----+----+----++----+----+----+----+----+----+---\
I ph***********@libertydice.org II No nation was ever ruined by I
I http://www.libertydice.org II trade, even seemingly the most I
I remove "3d6" to e-mail II disadvantageous. - Ben Franklin I
\---+----+----+----+----+----+----++----+----+----+----+----+----+---/

Jul 17 '05 #7

Pham Nuwen <ph***********@libertydice.org> wrote:
>>> The chap is probably a newbie. Best to play safe.
>> Please explain why you think magic_quotes_gpc would increase safety?
>
> unescaped special characters in a string can be used to send arbitrary
> code to the server. this is dangerous in many ways if exploited
> correctly it can most definitely represent a security breach.
>
> [ls example] see suddenly I have all sorts of control I shouldn't. The similar things
> can be done with fields going to a database, by sending it a "';" to
> end one SQL command and start sending others...

You prove the point of disabling magic_quotes_gpc exactly. The ls example
shows that all kinds of characters have to be escaped (like, but probably
not limited to, ';', '*', '/', '?').

Another example is the use of textareas (like the OP(?)): you have to
HTML-escape the user's input (including quotes) when displaying it again
in a browser.

IMHO magic_quotes_gpc lulls the user into thinking the data is safe. The
escaping of characters is very important and what to escape is
different for all kinds of use, but no magic_*_escape_thingy exists for
most.

--

Daniel Tryba

Jul 17 '05 #8
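Daniel's point that each output context needs its own escaping, as an added example in PHP (not code from the thread): the same form input goes to a shell command and to an HTML page, and each path uses the function built for that consumer. The hardened `ls` line corresponds to Pham's `exec("ls $dir", ...)` from #7; `$untrusted_dir` and `$untrusted_comment` are constructed sample inputs, and the helper functions are my own names.

```php
<?php
// Added example, not from the thread. Escaping belongs at the point of use and
// depends on the consumer: the shell, an HTML parser and a SQL engine each
// treat different characters as special. magic_quotes_gpc only adds a
// backslash before ' " \ and NUL, which protects none of the three reliably.

// Constructed sample inputs, as a form might submit them.
$untrusted_dir     = 'joe; touch myfile';        // the string from post #7
$untrusted_comment = 'I\'m <b>not</b> "safe"';

/**
 * Shell context. escapeshellarg() wraps the value in single quotes and escapes
 * any embedded single quote, so the whole string reaches ls as ONE argument
 * and the ';' is never seen by the shell as a command separator.
 */
function list_dir_command($dir)
{
    return 'ls ' . escapeshellarg($dir);
}

/**
 * Tighter still: do not let the caller name an arbitrary path at all. Keep
 * only the final path component and require it to exist under a fixed base
 * directory. Returns null when the name is rejected.
 */
function list_dir_command_constrained($dir, $base)
{
    $name = basename($dir);                      // drops any directory part
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    $base = realpath($base);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                             // missing, or outside the base
    }
    return 'ls ' . escapeshellarg($path);
}

/**
 * HTML context. htmlspecialchars() neutralises <, >, & and, with ENT_QUOTES,
 * both quote characters, so the comment is displayed as text, not markup.
 */
function html_escape($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The two contexts applied to the same inputs:
echo list_dir_command($untrusted_dir), "\n";
$cmd = list_dir_command_constrained($untrusted_dir, sys_get_temp_dir());
echo $cmd === null ? "rejected: no such entry under the base directory\n" : $cmd . "\n";
echo html_escape($untrusted_comment), "\n";
```

Note what is different from the magic_quotes approach: nothing is altered on the way in, so the stored value stays exactly what the user typed, and each output path applies the one transformation its consumer understands. The constrained variant also shows the stronger option of not passing user-controlled text to a shell at all.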

Carved in mystic runes upon the very living rock, the last words of Pham
Nuwen of comp.lang.php make plain:
> Daniel Tryba wrote:
>
> see suddenly I have all sorts of control I shouldn't. The similar
> things can be done with fields going to a database, by sending it a
> "';" to end one SQL command and start sending others...

I've tried that with MySQL (on my own databases, of course!) and it doesn't
work. I'm only able to send one query at a time.

--
Alan Little
Phorm PHP Form Processor
http://www.phorm.com/
Jul 17 '05 #9
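For the database side of the exchange between Pham, Daniel and Alan, an added example in PHP (not code from the thread) using a PDO prepared statement: the value is bound as a parameter, so the quote and the `';` in the input are stored as data and never parsed as SQL. That holds whether or not the driver accepts several statements in one call; even a single statement can be changed by an unescaped quote, so binding, not the statement limit, is what makes the input safe. It uses an in-memory SQLite database so it runs without a MySQL server (assumes the pdo_sqlite extension); the same PDO calls work unchanged with PDO's mysql driver. The function names and the comment text are constructed.

```php
<?php
// Added example, not from the thread. With a prepared statement the SQL text
// is fixed before the user's value arrives; the value is sent separately and
// cannot close the string literal or start a second statement. Uses an
// in-memory SQLite database (needs pdo_sqlite) so it runs offline.

function open_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

/** Insert a comment; $body is bound as a parameter, never interpolated. */
function add_comment(PDO $db, $body)
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
    return (int) $db->lastInsertId();
}

/** Look a comment up by exact body text, again through a bound parameter. */
function find_comment(PDO $db, $body)
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE body = :body');
    $stmt->execute(array(':body' => $body));
    return $stmt->fetch(PDO::FETCH_ASSOC);      // false when nothing matches
}

$db = open_demo_db();

// Constructed sample: the characters discussed in the thread, an apostrophe
// and the "';" that was supposed to terminate the statement.
$raw = "I'm here';";

$id  = add_comment($db, $raw);
$row = find_comment($db, $raw);

// The stored text is byte-for-byte what the user sent: no backslash was added
// (no magic quotes, no stripslashes) and the quote did not break the SQL.
echo $row['body'] === $raw ? "row {$id} stored verbatim: {$row['body']}\n"
                           : "mismatch\n";

// For contrast, string interpolation, which is what magic_quotes_gpc was meant
// to paper over: the same input breaks the statement instead of matching a row.
try {
    $db->query("SELECT id FROM comments WHERE body = '$raw'");
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}
```

The interpolated query at the end is the failure mode, not the fix: with the apostrophe inside the literal the engine sees a broken statement, and whether that turns into an error or a different query depends entirely on what follows the quote. Binding removes that dependency.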
